MikroTik Router OS V3.0 User Manual

add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow destination unreachable (net)"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow destination unreachable (host)"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem"
add chain=icmp action=drop comment="deny all other types"
    Page 310 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
    						
Address Lists
    Document revision 2.8 (February 11, 2008, 4:14 GMT)
    This document applies to MikroTik RouterOS V3.0
Table of Contents
  Summary
  Specifications
  Address Lists
    Description
    Property Description
    Example
    General Information
    Summary
Specifications
Packages required: system
License required: level1
Home menu level: /ip firewall address-list
Standards and Technologies: IP
Hardware usage: Not significant
    Address Lists
    Description
Property Description
address (IP address/netmask | IP address-IP address) - specify the IP address or range to be added to the address list. Note that the console converts the entered address/netmask value to a valid network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
list (name) - specify the name of the address list to add the IP address to
    Example
[admin@MikroTik] > /ip firewall address-list add list=drop_traffic address=192.0.34.166/32
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST          ADDRESS
 0   drop_traffic  192.0.34.166
[admin@MikroTik] > /ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 \
\... action=add-src-to-address-list address-list=drop_traffic
[admin@MikroTik] > /ip firewall filter add action=drop chain=input src-address-list=drop_traffic
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST          ADDRESS
 0   drop_traffic  192.0.34.166
 1 D drop_traffic  1.1.1.1
 2 D drop_traffic  10.5.11.8
[admin@MikroTik] >
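An added example, not taken from the manual, that extends the drop_traffic setup above so that entries expire via address-list-timeout, management stations are never auto-blocked, and listed sources are logged before being dropped. The admin_hosts list name, the 192.168.88.10 address and the one-hour timeout are placeholders chosen for this example.

```routeros
# Static list of management stations that must never be auto-blocked
# (placeholder address; replace with the real management hosts).
/ip firewall address-list add list=admin_hosts address=192.168.88.10/32 \
    comment="management station (placeholder)"

# Any other host that connects to telnet (tcp/23) on a router-local address
# is added to drop_traffic. address-list-timeout=01:00:00 makes the entry
# dynamic (D flag) and removes it after one hour instead of keeping it
# forever (the default 00:00:00). The negated src-address-list keeps
# management stations out of the list.
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 \
    dst-address-type=local src-address-list=!admin_hosts \
    action=add-src-to-address-list address-list=drop_traffic \
    address-list-timeout=01:00:00 comment="auto-block telnet probes for 1h"

# Input chain, evaluated top to bottom: accept management stations first
# (place-before=0 puts the rule at the top), then log listed sources at a
# limited rate, then drop them.
/ip firewall filter add chain=input src-address-list=admin_hosts \
    action=accept comment="always allow management stations" place-before=0
/ip firewall filter add chain=input src-address-list=drop_traffic \
    action=log log-prefix="drop_traffic:" limit=5/1m,10 \
    comment="log listed sources, at most 5 per minute (burst 10)"
/ip firewall filter add chain=input src-address-list=drop_traffic action=drop

# Verify: dynamic entries carry the D flag and disappear after the timeout.
/ip firewall address-list print
```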
Mangle
    Document revision .NaN (February 11, 2008, 4:14 GMT)
    This document applies to MikroTik RouterOS V3.0
Table of Contents
  Summary
  Specifications
  Mangle
    Description
    Property Description
    Notes
  Application Examples
    Description
    Peer-to-Peer Traffic Marking
    Mark by MAC address
    Change MSS
    General Information
Summary
Specifications
Packages required: system
License required: level1
Home menu level: /ip firewall mangle
Standards and Technologies: IP
Hardware usage: Increases with count of mangle rules
Mangle
Home menu level: /ip firewall mangle
Description
    Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | change-dscp | change-mss | change-ttl | jump | log | mark-connection | mark-packet | mark-routing | passthrough | return | set-priority | strip-ipv4-options; default: accept) - action to undertake if the packet matches the rule
• accept - accept the packet. No action, i.e., the packet is passed through and no more rules are applied to it
• add-dst-to-address-list - add the destination address of the IP packet to the address list specified by the address-list parameter
• add-src-to-address-list - add the source address of the IP packet to the address list specified by the address-list parameter
• change-dscp - change the Differentiated Services Code Point (DSCP) field to the value specified by the new-dscp parameter
• change-mss - change the Maximum Segment Size field of the packet to the value specified by the new-mss parameter
• change-ttl - change the Time to Live field of the packet to the value specified by the new-ttl parameter
• jump - jump to the chain specified by the value of the jump-target parameter
• log - each match with this action adds a message to the system log
• mark-connection - place the mark specified by the new-connection-mark parameter on the entire connection that matches the rule
• mark-packet - place the mark specified by the new-packet-mark parameter on a packet that matches the rule
• mark-routing - place the mark specified by the new-routing-mark parameter on a packet. This kind of mark is used for policy routing purposes only
• passthrough - ignore this rule and go on to the next one
• return - pass control back to the chain from where the jump took place
• set-priority - set the priority specified by the new-priority parameter on packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface)
• strip-ipv4-options - strip IPv4 option fields from the IP packet
address-list (name) - specify the name of the address list in which to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list. These address lists can later be used for packet matching
address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions
• 00:00:00 - leave the address in the address list forever
chain (forward | input | output | postrouting | prerouting) - specify the chain to put the rule into. As different traffic passes through different chains, always be careful to choose the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created
comment (text) - free-form textual comment for the rule. A comment can be used to refer to the particular rule from scripts
connection-bytes (integer-integer) - match packets only if the given amount of bytes has been transferred through the particular connection
• 0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask) - restrict the connection limit per address or address block
connection-mark (name) - match packets marked via the mangle facility with the particular connection mark
connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a particular packet
• established - a packet which belongs to an existing connection, e.g. a reply packet or a packet which belongs to an already replied connection
• invalid - a packet which could not be identified for some reason. This includes out of memory conditions and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
• new - a packet which begins a new TCP connection
• related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - match packets from related connections based on information from their connection tracking helpers. The relevant connection helper must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value
dst-address (IP address/netmask | IP address-IP address) - specify the address range an IP packet is destined to. Note that the console converts the entered address/netmask value to a valid network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - match the destination address of a packet against a user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - match the destination address type of the IP packet, one of:
• unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
• local - match addresses assigned to the router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
dst-limit (integer/time,integer,dst-address|dst-port|src-address/time) - limit the packet per second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):
• count - maximum average packet rate, measured in packets per second (pps), unless followed by the time option
• time - specifies the time interval over which the packet rate is measured
• burst - number of packets to match in a burst
• mode - the classifier(s) for packet rate limiting
• expire - specifies the interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535) - destination port number or range
fragment (yes | no) - whether the packet is a fragment of an IP packet. The starting packet (i.e., first fragment) does not count. Note that if connection tracking is enabled, there will be no fragments, as the system automatically reassembles every packet
hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from clients against various HotSpot conditions. All values can be negated
• auth - true if a packet comes from an authenticated HotSpot client
• from-client - true if a packet comes from any HotSpot client
• http - true if a HotSpot client sends a packet to the address and port previously detected as its proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
• local-dst - true if a packet has a local destination IP address
• to-client - true if a packet is sent to a client
icmp-options (integer:integer) - match ICMP Type:Code fields
in-bridge-port (name) - actual interface the packet has entered the router through (if bridged, this property matches the actual bridge port, while in-interface matches the bridge itself)
in-interface (name) - interface the packet has entered the router through (if the interface is bridged, then the packet will appear to come from the bridge interface itself)
ingress-priority (integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The priority may be derived from either VLAN or WMM priority
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match IPv4 header options
• any - match packets with at least one of the IPv4 options
• loose-source-routing - match packets with the loose source routing option. This option is used to route the internet datagram based on information supplied by the source
• no-record-route - match packets with no record route option
• no-router-alert - match packets with no router alert option
• no-source-routing - match packets with no source routing option
• no-timestamp - match packets with no timestamp option
• record-route - match packets with the record route option
• router-alert - match packets with the router alert option
• strict-source-routing - match packets with the strict source routing option
• timestamp - match packets with the timestamp option
jump-target (forward | input | output | postrouting | prerouting | name) - name of the target chain to jump to, if action=jump is used
layer7-protocol (name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution: this matcher needs high computational power
limit (integer/time,integer) - restrict the packet match rate to a given limit. Useful to reduce the amount of log messages
• count - maximum average packet rate, measured in packets per second (pps), unless followed by the time option
• time - specifies the time interval over which the packet rate is measured
• burst - number of packets to match in a burst
log-prefix (text) - all messages written to the log will contain the prefix specified herein. Used in conjunction with action=log
new-connection-mark (name) - specify the new value of the connection mark, used in conjunction with action=mark-connection
new-dscp (integer: 0..63) - specify the new value of the DSCP field, used in conjunction with action=change-dscp
new-mss (integer) - specify the MSS value, used in conjunction with action=change-mss
new-packet-mark (name) - specify the new value of the packet mark, used in conjunction with action=mark-packet
new-priority (integer) - specify the new value of the packet priority for priority-enabled interfaces, used in conjunction with action=set-priority
• from-dscp - set the packet priority from its DSCP field value
• from-ingress - set the packet priority from the INGRESS priority of the packet (in case the packet has been received from an interface that supports priorities - VLAN or WMM-enabled wireless interface; 0 if not set)
new-routing-mark (name) - specify the new value of the routing mark, used in conjunction with action=mark-routing
new-ttl (decrement | increment | set:integer) - specify the new TTL field value, used in conjunction with action=change-ttl
• decrement - the value of the TTL field will be decremented by the given value
• increment - the value of the TTL field will be incremented by the given value
• set - the value of the TTL field will be set to the given value
nth (integer,integer: 0..15,integer) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packets
• every - match every (every+1)th packet. For example, if every=1 then the rule matches every 2nd packet
• counter - specifies which counter to use. A counter increments each time a rule containing the nth match matches
• packet - match on the given packet number. For obvious reasons the value must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusive.
out-bridge-port (name) - actual interface the packet is leaving the router through (if bridged, this property matches the actual bridge port, while out-interface matches the bridge itself)
out-interface (name) - interface the packet is leaving the router through (if the interface is bridged, then the packet will appear to leave through the bridge interface itself)
p2p (all-p2p | bit-torrent | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - match packets belonging to connections of the above P2P protocols
packet-mark (name) - match packets marked in mangle with the specific packet mark
packet-size (integer: 0..65535-integer: 0..65535) - matches packets of the specified size or size range in bytes
• min - specifies the lower boundary of the size range or a standalone value
• max - specifies the upper boundary of the size range
passthrough (yes | no; default: yes) - whether to let the packet pass further (like action passthrough) after marking it with a given mark (the property is only valid if the action is mark-packet, mark-connection or mark-routing)
port (port) - matches if any (source or destination) port matches the specified list of ports or port ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port matchers)
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches the particular IP protocol specified by protocol name or number. You must specify this setting if you want to specify ports
psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign a lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfers
• WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as a port scan sequence
• DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as a possible port scan subsequence
• LowPortWeight - weight of the packets with privileged (
• ece - ECN-echo flag (explicit congestion notification)
• fin - close connection
• psh - push function
• rst - drop connection
• syn - new connection
• urg - urgent data
tcp-mss (integer: 0..65535) - matches the TCP MSS value of an IP packet
time (time-time,sat|fri|thu|wed|tue|mon|sun) - allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
    Notes
    Application Examples
Description
Peer-to-Peer Traffic Marking
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... connection-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
 1   chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
 2   chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] >
[admin@MikroTik] > /queue tree add parent=Public packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Local packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Public packet-mark=other limit-at=1000000 \